CVE-2026-29778

HighPublic PoC

Published: 07 March 2026

Published

07 March 2026

Modified

11 March 2026

KEV Added

—

Patch

—

CVSS Score 7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

EPSS Score 0.0002 5.1th percentile

Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-29778 is a high-severity Relative Path Traversal (CWE-23) vulnerability in Pyload-Ng Project Pyload-Ng. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 5.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique.

Threat & Defense Details

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1565.001 Stored Data Manipulation Impact

Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.

attack.mitre.org →

Why these techniques?

Path traversal in network-accessible pyLoad web function directly enables exploitation of the public-facing app (T1190) and facilitates unauthorized stored file modifications outside intended directories (T1565.001).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

pyLoad is a free and open-source download manager written in Python. From version 0.5.0b3.dev13 to 0.5.0b3.dev96, the edit_package() function implements insufficient sanitization for the pack_folder parameter. The current protection relies on a single-pass string replacement of "../", which can be…

bypassed using crafted recursive traversal sequences. This issue has been patched in version 0.5.0b3.dev97.

Deeper analysisAI

CVE-2026-29778 is a path traversal vulnerability (CWE-23) in pyLoad, a free and open-source download manager written in Python. The issue affects the edit_package() function, which inadequately sanitizes the pack_folder parameter by relying on a single-pass string replacement of "../". This protection can be bypassed using crafted recursive traversal sequences. Vulnerable versions range from 0.5.0b3.dev13 to 0.5.0b3.dev96, with a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L).

The vulnerability can be exploited by low-privilege authenticated users (PR:L) over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation enables directory traversal, resulting in high integrity impact (I:H), such as unauthorized modifications to files outside the intended directory, alongside low availability impact (A:L) and no confidentiality loss (C:N).

pyLoad has patched this issue in version 0.5.0b3.dev97. Additional mitigation guidance is available in the GitHub security advisory at https://github.com/pyload/pyload/security/advisories/GHSA-6px9-j4qr-xfjw.